From e3deac27313017e50700bc8ff6985a45837034d2 Mon Sep 17 00:00:00 2001
From: Stanislaw Grams <stanislawgrams@gmail.com>
Date: Fri, 13 Feb 2026 08:36:01 +0100
Subject: [PATCH] [fix](trx-client): pass HTTP auth config from TOML to server

The HTTP server was hardcoding auth config with enabled=false,
ignoring the actual configuration from trx-client.toml. This prevented
authentication enforcement even when enabled with passphrases.

Solution: Store auth config values in FrontendRuntimeContext during
initialization in main.rs, then extract and use them in server.rs
build_server() instead of hardcoding.

Fixes auth bypass where unauthenticated users could access the web UI.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Stanislaw Grams <stanislawgrams@gmail.com>
---
 src/trx-client/src/main.rs                    | 13 ++++++++++
 src/trx-client/trx-frontend/src/lib.rs        | 21 ++++++++++++++++
 .../trx-frontend-http/src/server.rs           | 24 ++++++++++++-------
 3 files changed, 49 insertions(+), 9 deletions(-)

diff --git a/src/trx-client/src/main.rs b/src/trx-client/src/main.rs
index f557d15..88cc3f5 100644
--- a/src/trx-client/src/main.rs
+++ b/src/trx-client/src/main.rs
@@ -159,6 +159,19 @@ async fn async_init() -> DynResult<AppState> {
         .cloned()
         .collect();
 
+    // Set HTTP frontend authentication config
+    frontend_runtime.http_auth_enabled = cfg.frontends.http.auth.enabled;
+    frontend_runtime.http_auth_rx_passphrase = cfg.frontends.http.auth.rx_passphrase.clone();
+    frontend_runtime.http_auth_control_passphrase = cfg.frontends.http.auth.control_passphrase.clone();
+    frontend_runtime.http_auth_tx_access_control_enabled = cfg.frontends.http.auth.tx_access_control_enabled;
+    frontend_runtime.http_auth_session_ttl_secs = cfg.frontends.http.auth.session_ttl_min * 60;
+    frontend_runtime.http_auth_cookie_secure = cfg.frontends.http.auth.cookie_secure;
+    frontend_runtime.http_auth_cookie_same_site = match cfg.frontends.http.auth.cookie_same_site {
+        config::CookieSameSite::Strict => "Strict".to_string(),
+        config::CookieSameSite::Lax => "Lax".to_string(),
+        config::CookieSameSite::None => "None".to_string(),
+    };
+
     // Resolve remote URL: CLI > config [remote] section > error
     let remote_url = cli
         .url
diff --git a/src/trx-client/trx-frontend/src/lib.rs b/src/trx-client/trx-frontend/src/lib.rs
index 585a7bc..320cbeb 100644
--- a/src/trx-client/trx-frontend/src/lib.rs
+++ b/src/trx-client/trx-frontend/src/lib.rs
@@ -126,6 +126,20 @@ pub struct FrontendRuntimeContext {
     pub rigctl_listen_addr: Arc<Mutex<Option<SocketAddr>>>,
     /// Guard to avoid spawning duplicate decode collectors.
     pub decode_collector_started: AtomicBool,
+    /// HTTP frontend authentication configuration (enabled, passphrases, TTL, etc.)
+    pub http_auth_enabled: bool,
+    /// HTTP frontend auth rx passphrase
+    pub http_auth_rx_passphrase: Option<String>,
+    /// HTTP frontend auth control passphrase
+    pub http_auth_control_passphrase: Option<String>,
+    /// HTTP frontend auth tx access control enabled
+    pub http_auth_tx_access_control_enabled: bool,
+    /// HTTP frontend auth session TTL in seconds
+    pub http_auth_session_ttl_secs: u64,
+    /// HTTP frontend auth cookie secure flag
+    pub http_auth_cookie_secure: bool,
+    /// HTTP frontend auth cookie same-site policy
+    pub http_auth_cookie_same_site: String,
 }
 
 impl FrontendRuntimeContext {
@@ -144,6 +158,13 @@ impl FrontendRuntimeContext {
             rigctl_clients: Arc::new(AtomicUsize::new(0)),
             rigctl_listen_addr: Arc::new(Mutex::new(None)),
             decode_collector_started: AtomicBool::new(false),
+            http_auth_enabled: false,
+            http_auth_rx_passphrase: None,
+            http_auth_control_passphrase: None,
+            http_auth_tx_access_control_enabled: true,
+            http_auth_session_ttl_secs: 480 * 60,
+            http_auth_cookie_secure: false,
+            http_auth_cookie_same_site: "Lax".to_string(),
         }
     }
 }
diff --git a/src/trx-client/trx-frontend/trx-frontend-http/src/server.rs b/src/trx-client/trx-frontend/trx-frontend-http/src/server.rs
index e92f9b6..d1bb3a5 100644
--- a/src/trx-client/trx-frontend/trx-frontend-http/src/server.rs
+++ b/src/trx-client/trx-frontend/trx-frontend-http/src/server.rs
@@ -78,18 +78,24 @@ fn build_server(
     let state_data = web::Data::new(state_rx);
     let rig_tx = web::Data::new(rig_tx);
     let clients = web::Data::new(Arc::new(AtomicUsize::new(0)));
-    let context_data = web::Data::new(context);
 
-    // Create authentication state (default: disabled)
+    // Extract auth config values before moving context
+    let same_site = match context.http_auth_cookie_same_site.as_str() {
+        "Strict" => SameSite::Strict,
+        "None" => SameSite::None,
+        _ => SameSite::Lax,  // default
+    };
     let auth_config = AuthConfig::new(
-        false,  // enabled - disabled by default
-        None,   // rx_passphrase
-        None,   // control_passphrase
-        true,   // tx_access_control_enabled
-        Duration::from_secs(480 * 60),  // session_ttl (480 minutes)
-        false,  // cookie_secure
-        SameSite::Lax,  // cookie_same_site
+        context.http_auth_enabled,
+        context.http_auth_rx_passphrase.clone(),
+        context.http_auth_control_passphrase.clone(),
+        context.http_auth_tx_access_control_enabled,
+        Duration::from_secs(context.http_auth_session_ttl_secs),
+        context.http_auth_cookie_secure,
+        same_site,
     );
+
+    let context_data = web::Data::new(context);
     let auth_state = web::Data::new(AuthState::new(auth_config.clone()));
 
     // Spawn session cleanup task if auth is enabled